[tor-bugs] #17604 [Tor]: Try to use only one canonical connection

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 23 06:14:01 UTC 2015 

#17604: Try to use only one canonical connection
-----------------------+------------------------------
 Reporter:  mikeperry  |          Owner:  mikeperry
     Type:  defect     |         Status:  needs_review
 Priority:  Medium     |      Milestone:
Component:  Tor        |        Version:
 Severity:  Normal     |     Resolution:
 Keywords:             |  Actual Points:
Parent ID:  #16861     |         Points:
  Sponsor:             |
-----------------------+------------------------------
Changes (by mikeperry):

 * status:  needs_revision => needs_review


Comment:

 Ok, after implementing the periodic check that Roger suggested, and after
 much chutney testing and code spelunking, I changed strategies here.
 Instead of granting canonical status to *more* things, I decided to add
 some checks so that relays are more likely to *agree* on their canonical
 status (inspired in part by Roger's comment at
 https://trac.torproject.org/projects/tor/ticket/6799#comment:14). For
 this, I use NETINFO peer address information to compare against what we
 are advertising for our router address, and if they disagree, the other
 side probably won't think we are canonical.

 I then changed channel_is_better() to not only prefer older connections,
 but also prefer connections where we think the peer will decide we are
 canonical. With these updates to channel_is_better(),
 connection_or_set_bad_connections() will mark all of these "half-
 canonical" orcons as bad for circs if we ever have a "full-canonical"
 option available for use instead. It will also mark younger orcons as bad
 for circs, as it is actually better to prefer old orcons when defending
 against Torscan attacks. Orcons will still live for a max of 1 week
 regardless, though. I did not change that.

 Here is the commit:
 https://gitweb.torproject.org/mikeperry/tor.git/commit/?h=netflow_padding-v4&id=d0a3ddd7814745a0760cc38b7d86e113e9be8b51

 Oh, it also turns out that we're already vulnerable to the attack in
 comment:1, because all a rogue node has to do is list its rogue address in
 its NETINFO cells, and it gets marked canonical. It is only non-canonical
 connections that get their real_addr checked by
 channel_tls_matches_target_method(). Do we care about that? I did not
 change that behavior in this patch at all. I merely noted the issue with
 an XXX in the source.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17604#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list